OK clear, many thanks! Winny Op 25-01-16 om 09:45 schreef Christian
Heimes:
On 2016-01-25 08:17, Winfried de Heiden wrote:Great,Changing /etc/ipa/kdcproxy/kdcproxy.conf [global] configs = mit use_dns = false to # cat /etc/ipa/kdcproxy/kdcproxy.conf [global] configs = mit use_dns = true along with adding the windows realm to krb5.conf on the clients did the trick; I am able to obtain aan AD TGT ticket by using the KDC proxy Is there a special reason why "use_dns = false" was used in kdcproxy.conf?The current implementation of the DNS configuration feature is slow and reduce performance of KDC proxy requests. Every request has to fetch multiple SRV records and then resolve each entry in each record again. There is neither caching nor async DNS support, too. A co-worker has written a RFC to address the problem. The RFC hasn't been approved yet. https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00 Do you need dynamic configuration or can you get by with static configuration in krb5.conf? Christian |
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project